Sigh... another exe_virus has bypassed SD v1.1.0.262

Discussion in 'sandboxing & virtualization' started by nanana1, Jun 16, 2008.

Thread Status:
Not open for further replies.
  1. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Sad that, so soon, another virus named soft10.exe has emerged to bypass ShadowDefender v1.1.0.262. :oops:

    Tony has been informed and is working on it now.

    Expect v1.1.0.263 very soon! :ninja:
     
    Last edited: Jun 16, 2008
  2. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    More importantly though, is it in the wild or is it a POC? Additionally, what are the chances you will come into contact with it?
     
  3. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    Ilya has informed me that DefenseWall successfully blocks and contains the soft10.exe virus. As for me, with Returnil 2008 Personal Ed.'s "session lock" enabled under Vista 32 SP1 with hardware DEP enabled, upon execution this virus crashes.


    Peace & Gratitude,

    CogitoErgoSum
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AE also will detect and remove it immediately as an unauthorized executable.
    To me, ISR software doesn't have to protect itself against this type of malware, because it is recovery software.
    Security software or security settings have to protect ISR software against this type of malware.
    Let each software do its job; after all, SD is not an anti-malware scanner.
    ShadowProtect doesn't protect itself against this malware either.
     
  5. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Totally agree! I have other programs which kill soft10.exe.
     
  6. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    That's what I was claiming in the cs.exe thread; they just need to be able to work correctly in a working environment, not in a filthy place of malware.

    Cheers :)
     
  7. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    It is out now
     
  8. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    can anyone tell me what this virus attempts to do?
     
  9. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  10. tusque

    tusque Registered Member

    Joined:
    Jan 31, 2008
    Posts:
    16
  11. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    To my understanding, ISR software is bypassed/killed by means of disabling its ability to protect/restore the MBR successfully. One can have imaging software, back up his MBR and set the imaging software to restore it daily, when not in ISR mode... MBR ISR insurance, if you will :D You do not even need to reboot your machine.
     
  12. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    To restore the MBR with imaging software, you have to restore the whole partition in order to restore the MBR. It's only possible outside Windows; you have to boot/reboot, obviously. If it is the real cause like you said, then boot to the recovery console and do fixmbr and you're done, but then the malicious stuff on your disk will cause the same problem again!
     
  13. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Well, at least with Acronis True Image Home a restart is not necessary... feel free to try.
     
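The exchange in posts 11 to 13 above treats the MBR as the thing a bootkit-style sample rewrites and a daily restore as the insurance. The script below is an added example, not code from the thread or from any of the products named in it. It reads the first 512-byte sector of a raw image (or a block device, with administrator/root rights), splits it into boot code, disk signature and partition table, and compares it against a saved baseline, so that a changed boot code is reported separately from a legitimately changed partition table. The sample MBR bytes, the disk signature 0x1234ABCD and the stand-in boot code are constructed for the demonstration; `restore_boot_code` returns the repaired sector as bytes and deliberately does not write anything back to a disk.

```python
"""Baseline-and-verify check for a classic MBR (first 512 bytes of a disk).

Added example. Layout assumed: 440 bytes of boot code, 4-byte disk signature,
2 bytes padding, four 16-byte partition entries, 0x55AA boot signature.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440          # executable part of the sector; what a bootkit overwrites
DISK_SIG_OFFSET = 440
PT_OFFSET = 446
PT_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR sector into its security-relevant fields."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    partitions = []
    for slot in range(4):
        off = PT_OFFSET + slot * PT_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PT_ENTRY_SIZE])
        if ptype != 0:                       # partition type 0x00 marks an empty slot
            partitions.append({"slot": slot, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": n_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return the names of the MBR regions that differ from the saved baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    changed = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        changed.append("boot_code")
    if b["disk_signature"] != c["disk_signature"]:
        changed.append("disk_signature")
    if b["partitions"] != c["partitions"]:
        changed.append("partition_table")
    return changed


def restore_boot_code(current: bytes, baseline: bytes) -> bytes:
    """Roll the boot code back to the baseline but keep the live partition table,
    since resizing or adding a partition changes the table legitimately."""
    parse_mbr(current)
    parse_mbr(baseline)
    return baseline[:BOOT_CODE_END] + current[BOOT_CODE_END:]


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a raw image file or a block device (needs admin/root)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# --- Constructed sample data; not taken from any real disk ------------------
def _build_sample_mbr(boot_code: bytes) -> bytes:
    boot = boot_code.ljust(BOOT_CODE_END, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    # one bootable NTFS-type (0x07) partition, LBA 2048, 204800 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PT_ENTRY_SIZE * 3)
    return boot + disk_sig + table + BOOT_SIGNATURE


CLEAN_MBR = _build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # stand-in boot code
TAMPERED_MBR = _build_sample_mbr(b"\xeb\xfe" + b"\x90" * 5)        # boot code replaced

if __name__ == "__main__":
    print("clean vs clean   :", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs tampered:", compare_mbr(CLEAN_MBR, TAMPERED_MBR))
    repaired = restore_boot_code(TAMPERED_MBR, CLEAN_MBR)
    print("after restore    :", compare_mbr(CLEAN_MBR, repaired))
```

Run it once on a known-good system and keep the returned sector as the baseline; a later run that reports `boot_code` while the partition table is unchanged is the signature of the kind of tampering the thread is about. As Huupi notes above, writing the clean sector back while the sample is still resident only buys a reboot or two; the check tells you something has changed, removing the cause is a separate step.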
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Until now I have never met malware that killed my ISR software, but my ISR software was killed 3 times by installing new legitimate software in 2 years.
    All these ISR threats don't have a chance when you have an anti-executable solution on board.
    Even when it happens, and it did happen already 3 times without malware, ShadowProtect will save my system.
    ISR threats are pure routine work to me, because each time I update my system partition I use the same procedure as when I was hit by an ISR threat, but that won't happen because Anti-Executable will kill them immediately.

    Of course when users
    - are not prepared
    - don't have an Image Backup software
    - only have an old image to restore
    - only have an infected image to restore
    then ISR threats and many other threats can be a serious problem and they will waste a lot of time to fix it.
    If you have Windows + Applications + Data on ONE partition and your image is old, then you will even lose data and losing data is the worst scenario. Most images are from yesterday or older, which means you will lose your data of today or even worse.
     
    Last edited: Jun 17, 2008
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    What about ... not running suspected executables and thus avoiding the dilemma?
    I know this sounds strange, but why try to murder the operating system?
    Mrk
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Indeed, but most users don't care about that. They want a new screensaver, they want to try new software from anywhere, etc. No wonder they get infected.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    Most users don't know about instant recovery software either.
    I'm talking about YOU and all other SD users - why do you use the program?

    So you can have flexibility in your setup?

    OR

    So you can try to break it?
    So you can see what dangerous program that you should possibly never run in sanity can damage / destroy / infiltrate the OS?

    Mrk
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It's just another dog. Let me repeat, it will be a cat and mouse game. It might be just futile to run after such threats.

    Best policy will be to implement an add-on in an ISR that can stop driver/ service install and direct disk access, MBR access etc and this add-on can be enabled by the user if he feels the need to do so. Not so many updates will be needed then.

    It's just my thinking and I am not a programmer, just an ordinary user.
     
    Last edited: Jun 17, 2008
  19. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Or something that kills threats instantly if they access memory, BOClean?
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's why most users get infected all the time, when they use a normal system without ISR or IB. I don't need ISR (= luxury), I need minimum IB (= necessity), but I like luxury because I'm lazy.
    Of course I have flexibility with ISR on board, I can do the same things, like in the past, but without the garbage like in a normal system.
    The expression "frozen system" doesn't mean you are stuck with an annoying system that makes everything difficult. If that is the case, you don't know how to use it.
     
  21. wat0114

    wat0114 Guest

    My thoughts exactly!

    I can't believe these epic threads where people are getting bent out of shape because xyz.exe bypasses the latest sandbox application and then everyone is all happy because the developer of the sb will produce a fix for it post haste. As Mrkvonic says, just don't run suspect executables. It's that simple!
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Certainly not IMO. BOClean is just another signature based product that might fail so easily.
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As I already said, legitimate executables can also corrupt your system due to compatibility problems with your entire system.
    You also have to get rid of a program completely if you don't like it. I don't trust Add/Remove or even uninstallers to uninstall a program completely.
     
    Last edited: Jun 17, 2008
  24. wat0114

    wat0114 Guest

    Hi ErikAlbert,

    fwiw, I quite like your approach to system security because it's different, thinking "outside the box" as it were :) You don't have to worry about piling on a battery of different security apps in hopes of thwarting every conceivable malware threat on the planet. Not only that, your reasons given above are also no doubt valid. My mindset has changed considerably of late, as I tend to now take a more laid back approach to home computer security. Mrkvonic's approach used to bug me, as I thought he was too casual about things, but in truth he has many valid points in his approach. Just using common sense and a minimal security package, some degree of LUA and perhaps SRP (though I don't particularly like the latter) is all that is really required to avoid malware infection.

    I have custom modified (more restrictive than default) "Power user" accounts set up on all three of my XP machines, with a limited Windows Services profile, and there has been no malware in > 5 years. This way no one is completely shackled. I use common sense in what I'm doing as well as what my family does. They do not surf stupid sites and I have told them to never click on links or launch attachments in email, as well as other "best practice" computer use habits. No stupid messenger services either. They do very well considering they have minimal understanding of how computers and the Internet work. There is only a software fw (with a custom made, tight ruleset) and AV on these machines, all behind a router. ATI images are in place for all machines just in case. Recovery, if needed, is quick and easy.

    In truth, all three machines could have been running full Admin over this long duration and there still would not have been malware infections, simply because malware has never been encountered on these machines in this time, other than once when NOD32 was triggered by a suspect wallpaper download. It was not downloaded.

    As for my latest "xyz.exe-bypasses-sandbox-application-rant", it is because "what is the point?" It will never end with these latest exploits, and vendors will always be scrambling to patch yet another stupid hole to satisfy their customers. Hackers must be having a riot reading over these threads. As has been mentioned, just use common sense and don't launch suspect files. Malware will be nothing to worry about.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Hear, hear.

    Until a simple small standalone app is ever developed for simple install-it-and-forget-it protection against these MBR disrupters, Faronics' AE is an absolute positive against these executables in any form.

    Seems a lot of attention is being given lately by malware makers to trying to infiltrate the partition/MBR, which in my opinion is ALMOST as destructive as file infectors.

    And it requires stopping everything you're doing if hit by one of these and inserting a CD with, say, TESTDISK or another MBR app that can safely return the written crap back to its original state.

    EASTER
     